Closed Bug 1202186 Opened 5 years ago Closed 5 years ago

Hide password in calls of console.log() and console.error()

Categories

(DevTools :: General, defect)


Tracking

(firefox43 fixed)

RESOLVED FIXED
Firefox 43

People

(Reporter: dragana, Assigned: Gijs)

Details

(Keywords: csectype-disclosure, sec-low, Whiteboard: [adv-main43-])

Attachments

(1 file)

Calls of console.log(...) and console.error(...) will show the password in the URI. It should be hidden.

Bug 1197791 will add a GetAnonymousSpec() function to nsIURI to hide the password. It can use this function.
Group: firefox-core-security
Depends on: 1197791
Does this still need to happen? AFAICT this has been fixed at the core level?
Flags: needinfo?(dd.mozilla)
If you mean that bug 197791 has fixed this: no, it did not fix this problem. console.log() and console.error() do not use nsScriptError. I have opened this bug because I do not know this code well enough to decide where the right place to fix it is. The fix is easy if you know the right place.
Flags: needinfo?(dd.mozilla)
I don't have access to bug 1197791 to see what the fix looks like, but presumably you'd want to make the same changes to Console.cpp.
Bug 1202186 - use nsISensitiveInfoHidden for console methods, r?past
Attachment #8660890 - Flags: review?(past)
To be clear, I don't know the code here well enough to be sure this is comprehensive enough, but it seemed to work in my very very very limited testing. I also don't know if/which tests are likely to break because of this change.
Comment on attachment 8660890 [details]
MozReview Request: Bug 1202186 - use nsISensitiveInfoHidden for console methods, r?past

baku knows this code better than me.
Attachment #8660890 - Flags: review?(past) → review?(amarchesini)
Comment on attachment 8660890 [details]
MozReview Request: Bug 1202186 - use nsISensitiveInfoHidden for console methods, r?past

https://reviewboard.mozilla.org/r/19213/#review17159

lgtm!

::: dom/base/Console.cpp:39
(Diff revision 1)
> +#include "nsISensitiveInfoHiddenURI.h"

alphabetic order. Move it to line 38.

::: dom/base/Console.cpp:1224
(Diff revision 1)
> +      event.mFilename.Assign(NS_ConvertUTF8toUTF16(spec));
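
Review bot: at dom/base/Console.cpp:1224 the quoted line sets event.mFilename from the converted spec, but the quoted context does not show what mFilename holds when a password-hidden spec could not be obtained. If the original filename is kept in that case, the password would still reach the console. Worth confirming the fallback and covering it with a test that calls console.log() and console.error() from a URI that contains a password.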

CopyUTF8toUTF16(spec, event.mFilename);
Attachment #8660890 - Flags: review?(amarchesini) → review+
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
https://hg.mozilla.org/mozilla-central/rev/4aa1e0f5013b
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 43
Whiteboard: [adv-main43+]
Alias: CVE-2015-7221
Whiteboard: [adv-main43+] → [adv-main43-]
Product: Firefox → DevTools
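
The same kind of redaction this bug asks of the console, applied at the application logging layer. This is an added example, not Firefox code and not the patch from this bug; `hidePasswordInText`, `sanitizeLogArg`, `makeSafeConsole` and the `****` mask are hypothetical names and values chosen here, and the sample URIs are constructed.

```javascript
// Added example, not Firefox code. Matches "scheme://authority" anywhere in
// a string; the authority ends at the first "/", "\", "?", "#" or whitespace.
const AUTHORITY_RE = /\b([a-z][a-z0-9+.-]*:\/\/)([^\s\/\\?#]*)/gi;
const MASK = "****"; // constructed placeholder for the hidden password

// Replace the password of every URI found in `text` (a bare URI, a message
// or a stack frame such as "fn@https://user:pw@host/app.js:12:3").
function hidePasswordInText(text) {
  return text.replace(AUTHORITY_RE, (match, scheme, authority) => {
    // The LAST "@" ends the userinfo, so an unescaped "@" inside the
    // password does not leak its tail into the log.
    const at = authority.lastIndexOf("@");
    if (at === -1) return match; // no credentials; "host:port" is untouched
    const userinfo = authority.slice(0, at);
    // The FIRST ":" separates the user name from the password.
    const colon = userinfo.indexOf(":");
    if (colon === -1 || colon === userinfo.length - 1) return match;
    return scheme + userinfo.slice(0, colon + 1) + MASK + authority.slice(at);
  });
}

// Sanitize one value before it reaches a logging sink.
function sanitizeLogArg(arg) {
  if (typeof arg === "string") return hidePasswordInText(arg);
  if (arg instanceof URL) return hidePasswordInText(arg.href);
  if (arg instanceof Error) return hidePasswordInText(String(arg.stack || arg));
  return arg; // other values are passed through unchanged
}

// Wrap the log() and error() methods of `sink` (for example the global
// console) so that every argument is sanitized first.
function makeSafeConsole(sink) {
  const wrap = (method) => (...args) =>
    sink[method](...args.map(sanitizeLogArg));
  return { log: wrap("log"), error: wrap("error") };
}
```
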